Independent researchers are paying a lot of attention to the cybersecurity of a variety of medical devices from a number of vendors. Some of this work will soon result in a new methodology for assessing whether a security issue is likely to pose a danger to patients, says medical device cybersecurity researcher Billy Rios.

Rios is working with several organizations "trying to get a better understanding on how we can evaluate a cybersecurity issue [in a medical device] and determine whether it will cause patient safety issues," he says in an interview with Information Security Media Group.

"We want to present a formal methodology that someone can look at and say, 'Hey, we have this cybersecurity issue,' and instead of having to buy the device [and] take the device apart to determine whether or not the particular cybersecurity issue can be used to cause a patient safety issue, we can basically run it through this methodology."

This would allow the user of the methodology to say, "Based on what we've seen in the past, if we take this particular cybersecurity vulnerability, it means it could cause a patient safety issue in these following [medical device] products," he says. "You can then go to the vendor and ask, 'Can you verify this?'"

The methodology is expected to be available this year, says Rios, who previously identified medical device cybersecurity vulnerabilities that led the Department of Homeland Security and Food and Drug Administration to issue warnings. That includes an FDA alert last year urging hospitals to discontinue use of a family of infusion pumps from manufacturer Hospira due to a flaw that could potentially allow an unauthorized user to alter the dose the devices deliver (see FDA: Infusion Pumps Have Vulnerablities).

Malware Threats

One big challenge for the healthcare sector is identifying and mitigating medical device vulnerabilities before malicious hackers exploit the flaws. That includes hackers and other cybercriminals gaining access to networks by taking advantage of potential problems caused by malware running on outdated medical device operating systems, he says.

"One thing that is dangerous is the folks who are probably using malware to get access to data ... are probably not in a position to determine whether or not the device could cause patient safety issues," he says. "They probably don't care. They just want a foothold into someone's network and access to someone's data. That presents a very tricky situation.

"We have to systematically and objectively determine which security vulnerabilities present risks to patient harm and which present harm only to the IT infrastructure. Both are very important, but as a patient safety issue, we certainly have to treat them differently."

In the interview (see audio link below photo), Rios also discusses:

Why there are "thousands" of vulnerabilities that affect the cybersecurity of medical devices now in use;

The difficult challenges that CIOs and CISOs face in dealing with medical device cybersecurity issues;

Why medical device manufacturers need to do a better job of addressing cybersecurity throughout the life cycle of their products;

Action that the FDA and other agencies may take on medical device cybersecurity this year.

Rios is founder of the independent security research and services firm Whitescope. Before launching the company, Rios worked at several security consulting firms, including Qualys and Cylance Inc. He also previously worked as a security engineer and manager at Google and Microsoft.